Lack of process, security culture leaving firms open to cyber-attack

A new white paper from QinetiQ has claimed that a lack of understanding of how to mitigate employee negligence is leaving firms wide open to cyber-attacks.

The white paper identified a clear gap between employee knowledge and their actions, concluding that security training alone will not change employee behaviours.

QinetiQ is advocating a more holistic approach to security, designed with the integration of people, process and technology in mind.

Recent government data has shown that 81 percent of large organisations that were victims of hacking in 2015 stated that the actions of their employees aided the attacker, with 90 percent of large organisations suffering some sort of overall breach.

Despite widespread awareness of this threat, the security consultancy found that most organisations lack a clear understanding of the complex interaction between human behaviour, technology and organisational process.

This often leaves cyber-security processes below par and creates an ideal route for attackers to cause serious damage and disruption to major companies and organisations.

Beverley Allen, group risk manager for the Photobox Group told SCMagazineUK.com, “Employee negligence is certainly a big issue, but first they need to know what the right thing is before you can say what they did was negligent. It may also be corporate negligence in the sense that if the company does not make it easy for its staff to do the right thing, and only the right thing (provide them with the right, secure, tools/applications, have proper procedures in place, enforce policy so that it is complied with at all times, etc.) it is hard to see how the employee doing the wrong thing, ie, acting negligently, is solely the employee's fault – the employer has a responsibility, too.”

The potential consequences of an attack can be devastating and span both financial and reputational damage as seen in the now infamous TalkTalk breach of 2015. Whilst many now acknowledge this threat to their business, QinetiQ suggests that businesses must recognise that there is no silver bullet to preventing an attack. Improving security culture throughout the business requires a long-term, diverse approach.

QinetiQ advises that technology alone cannot deliver sufficient security, rather businesses must address the issue at the heart of the company and create a natural environment for secure employee behaviour.

Simon Bowyer, senior consultant on human performance at QinetiQ and co-author of the paper, told SCMagazineUK.com: “To educate and influence the behaviour of employees is to restrict the easiest attack route into a business. When employees have a natural inclination towards security by virtue of an integrated company ethos, they are motivated to remain alert to risks and unusual behaviours. If firms are to stand a chance against cyber threats, firms must design their security strategy taking into account human behaviour and propensity of employees to act in a security conscious fashion. Firms must work towards a vision, where employees recognise the importance of cyber-security best practice and how even actions that we all take for granted, like checking a Facebook page at lunchtime, could provide cyber-criminals with an avenue into a business.”

Nick Ioannou, head of IT for the Ratcliffs Grove Partnership, added: “QinetiQ, an ex-government military organisation, who believe having a process is the answer for everything and the phrase ‘lack of a security culture' from their perspective probably applies to nearly everyone. Removing admin rights goes a long way to mitigating employee negligence, but historic workarounds may prevent this. There are no silver bullets, one size fits all security solutions, especially when the opportunities for a cyber-attack are so vast and an employee may follow every process yet still fall victim to a cyber-attack due to a hosted exploit on a hacked mainstream website.”

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.